Closed
Description
In version 2.0.5 I face a security violation error when I follow the link in the Forgotten Password e-mail.
The link is created with the default pattern `@SiteURL@/public/forgottenpassword/%TOKEN%`.
In the logs I can see that the `%TOKEN%` part of the URL fails validation:
```
2023-02-15T12:27:18Z, WARN , util.Validator, stripped potentially harmful chars from value: input=https://<SiteURL>/pwm/public/forgottenpassword/<TOKEN> strippedOutput=https://<SiteURL>/pwm/public/forgottenpassword/....
2023-02-15T12:27:18Z, WARN , http.PwmHttpResponseWrapper, attempt to write cookie 'SESSION' after response is committed
2023-02-15T12:27:18Z, WARN , http.PwmHttpResponseWrapper, attempt to write cookie 'ID' after response is committed
2023-02-15T12:27:18Z, ERROR, http.PwmResponse, {txMup} 5063 ERROR_SECURITY_VIOLATION (request URL path segment contains illegal characters)
2023-02-15T12:27:18Z, ERROR, filter.RequestInitializationFilter, {txMup} 5063 ERROR_SECURITY_VIOLATION (request URL path segment contains illegal characters)
```
As I can see in the logs, the `%TOKEN%` value in the URL contains `%0D` (carriage return) symbols, which leads to failed validation.
If I copy/paste the `%TOKEN%` from the e-mail into the forgotten password field, everything works fine.
Version 2.0.4 works fine.
To Reproduce
- Deploy and use PWM v2.0.5
- Use the "Forgotten password" button
- Specify the correct e-mail for the user to send the restoration token
- Click the link in the e-mail
- Get a PWM security violation error
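As an added illustration (not code from the PWM project or from the reporter), the following Python models the failure described above: a token that carries a CR/LF is percent-encoded into the link as `%0D%0A`, the decoded final path segment then fails a character check, while stripping such characters before the token is placed into the `@SiteURL@/public/forgottenpassword/%TOKEN%` template yields a link that passes. The site URL, the sample token, and the allowed-character set of the validator are constructed assumptions.

```python
import string
from urllib.parse import quote, unquote, urlsplit

# Constructed sample values; the real site URL and token are not on the page.
SITE_URL = "https://pwm.example.invalid/pwm"
LINK_TEMPLATE = "@SiteURL@/public/forgottenpassword/%TOKEN%"

# Assumed allowed set for a hypothetical path-segment validator, modelled on the
# "request URL path segment contains illegal characters" log message.
ALLOWED_SEGMENT_CHARS = set(string.ascii_letters + string.digits + "-_.~")


def build_link(site_url: str, token: str) -> str:
    """Fill the template as-is; quote() percent-encodes CR/LF into %0D/%0A."""
    return (LINK_TEMPLATE
            .replace("@SiteURL@", site_url)
            .replace("%TOKEN%", quote(token, safe="")))


def illegal_chars_in_last_segment(url: str) -> set:
    """Decode the final path segment and return every character outside the allowed set."""
    segment = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    return {c for c in segment if c not in ALLOWED_SEGMENT_CHARS}


def sanitize_token(token: str) -> str:
    """Mitigation: drop whitespace and control characters before the token enters a URL."""
    return "".join(c for c in token if c in ALLOWED_SEGMENT_CHARS)


# Constructed token that picked up a CRLF, as the %0D in the reporter's log suggests.
RAW_TOKEN = "abcd1234\r\nefgh5678"

if __name__ == "__main__":
    broken = build_link(SITE_URL, RAW_TOKEN)
    print(broken)                                  # ...forgottenpassword/abcd1234%0D%0Aefgh5678
    print(illegal_chars_in_last_segment(broken))   # {'\r', '\n'}
    fixed = build_link(SITE_URL, sanitize_token(RAW_TOKEN))
    print(illegal_chars_in_last_segment(fixed))    # set()
```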